Firewall Rules for Salesforce IP and Domains
The T4S Server runs on a virtual machine within your DMZ and is configured to communicate only with the Salesforce Orgs and Sandboxes you wish to connect to in the cloud.
This allows the Content Manager Server to remain protected within your LAN.
The T4S Server API only accepts external requests originating from a Salesforce domain. In addition, the IIS Server is set up with Two Way SSL (mutual TLS), so a request is authenticated to the T4S Server API only if it presents a certificate generated by a Salesforce Organization and pre-installed on the T4S Server.
When a Salesforce Org generated Self Signed Certificate expires, or a Sandbox is refreshed, a new Self Signed Certificate must be generated and installed onto the T4S Server using MMC so that IIS can authenticate the incoming requests.
The name of the newly created Certificate must then be updated on the Salesforce T4S Server configuration page, so that the Salesforce T4S package knows which Salesforce Certificate to send to the T4S Server.
T4S Server Access to Salesforce
T4S will need to have access to your Salesforce Orgs in the cloud by Domain Name.
Here is a full list of the Salesforce Domain Names.
Allow the Required Domains (salesforce.com)
The minimum set of domains that should be allowed is:
*.force.com
*.lightning.com
*.salesforce.com
*.visualforce.com
Salesforce Access to T4S Server
Salesforce lists a large number of IP address ranges that it recommends you add to your firewall rules.
One way to determine the IP address from which a Salesforce Org (the Org that T4S will be installed in) makes outbound requests is to follow this procedure in each Org.
Within Salesforce Setup, search for “Remote Site Settings”.
Add a new Remote Site.
Remote Site Name: “icanhazip”, “IP_Address_Check”, or similar.
Remote Site URL: “https://icanhazip.com”
Save.
Open Developer Console → Debug → “Open Execute Anonymous Window”.
Enter this code snippet into the window:
HttpRequest req = new HttpRequest();
req.setEndpoint('https://icanhazip.com/'); // same host as the Remote Site added above
req.setMethod('GET');
Http httpReq = new Http();
HttpResponse res = httpReq.send(req);
// The response body is the Org's outbound IP address; the marker makes the entry easy to find in the log
System.debug('------Org IP Address: ' + res.getBody());
Check the “Open Log” check box.
Execute the code.
The Execution Log will open; search for the log entry “------Org IP Address:” to find the Org IP Address.
If you want to force an IPv4 lookup, use ipv4.icanhazip.com. For IPv6, use ipv6.icanhazip.com.
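As an added example (not part of this page or of the T4S product), the following Python script takes the Execution Log output of the snippet above and checks whether the reported Org IP address falls inside the CIDR ranges you intend to allow on your firewall, reporting which range covers it. The CIDR list and the log line are constructed placeholders, not the real Salesforce ranges or a real log.

```python
import ipaddress

# Constructed placeholder CIDRs standing in for the allow-list you build from
# Salesforce's published IP ranges; they are NOT the real Salesforce ranges.
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"]

# Marker written by the Apex snippet's System.debug call
LOG_MARKER = "------Org IP Address: "


def extract_org_ip(log_text):
    """Return the address from the Execution Log line carrying LOG_MARKER, or None.

    icanhazip returns the address followed by a newline, so the value is
    stripped before parsing; anything that is not a valid IP yields None.
    """
    for line in log_text.splitlines():
        if LOG_MARKER in line:
            candidate = line.split(LOG_MARKER, 1)[1].strip()
            try:
                return ipaddress.ip_address(candidate)
            except ValueError:
                return None
    return None


def matching_range(ip, ranges=ALLOWED_RANGES):
    """Return the first CIDR in ranges containing ip, or None if uncovered.

    The address family is compared first so an IPv6 egress address is never
    silently tested against IPv4-only ranges.
    """
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net:
            return cidr
    return None


def check_log(log_text, ranges=ALLOWED_RANGES):
    """Return (ip_string, matched_cidr); both None when no usable IP is found."""
    ip = extract_org_ip(log_text)
    if ip is None:
        return (None, None)
    return (str(ip), matching_range(ip, ranges))


# Constructed approximation of a USER_DEBUG line from the Execution Log
SAMPLE_LOG = "12:00:01.0 (100)|USER_DEBUG|[1]|DEBUG|------Org IP Address: 203.0.113.45\n"
print(check_log(SAMPLE_LOG))  # ('203.0.113.45', '203.0.113.0/24')
```

Run it once per Org (and again after a Sandbox refresh); a result with no matched range means the firewall allow-list still needs that Org's range.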
Salesforce is currently migrating its servers to their Hyperforce cloud infrastructure.
Some Salesforce Sandbox Orgs may still be on non-Hyperforce servers while others have already been moved to Hyperforce servers.
See Salesforce IP Addresses and Domains to Allow
To find the Salesforce Org instance, within Salesforce navigate to Setup → Company Information and view the “Instance” value.
For example, an Australian Salesforce Sandbox instance may be “AUS36S”.
Use Find My Instance - Trust | Availability (salesforce.com) and enter the Salesforce instance (e.g. “AUS36S”) to find out where your Salesforce Org is hosted and whether it is running on Hyperforce.
To find Non Hyperforce IPs:
Salesforce IP Addresses and Domains to Allow
Hyperforce IPs: (Updated 29 November 2023 10:13am PDT)
See Hyperforce External IPs | Salesforce Compliance